Werner Koch and GPG: How can we preserve important, barely funded open-source software?

Some of the Web’s Most Important Infrastructure Is Barely Funded. How Can We Preserve It?


Decoding the tech world.
Feb. 12 2015 5:09 PM

The Open-Source Question

Some of the Web’s most important infrastructure is barely funded. How can we preserve it?

The one-man open-source software band: many important open-source developers face a lack of resources and little pay.

Photo illustration by Slate. Photo by Thinkstock

You’d be forgiven for thinking that the tech world is a loathsome hotbed of rapacious venture capitalists, airheaded trend-riders, and publicity hounds. That’s the image presented by much of the tech press, which prizes stories about the Montgomery Burnses of the tech world over ones about its more idealistic denizens.

David Auerbach

David Auerbach is a writer and software engineer based in New York, and a fellow at New America.

Last week, however, brought a story about one of the better angels of our software. ProPublica’s Julia Angwin reported on developer Werner Koch, the German creator of the email encryption software suite GNU Privacy Guard, known as GPG. Popular and free, GPG has achieved wide usage across Linux, MacOS, and Windows, and it is the software Edward Snowden taught journalists such as Glenn Greenwald so that they could communicate without fear of detection. Koch single-handedly started the project in 1997 and has worked with only minimal help. Since 2013, he’s been the only person working on GPG.

To put it mildly, GPG is a very important piece of software, one that many consumers and businesses rely on. It plays a crucial role not just in encrypted email but also in many Linux package management systems (which are responsible for authenticating and retrieving component downloads and updates) and other important tasks on the Web. Koch’s devotion to keeping GPG free, in accordance with the ideals of the free and open-source software movement, or FOSS, has come at a personal cost. Angwin reports that Koch has only made roughly $25,000 a year since 2001, making it tight to support a family of three. The government contracts and grants he’s relied on pay far less than private industry, where software engineer salaries regularly land upward of six figures. “Really I am better at programming than this business stuff,” Koch told Angwin. But within hours of the story’s publication, donations were rolling in: GPG reached a fundraising goal of $137,000, and Facebook and Stripe each pledged $50,000 per year.
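The package-manager role mentioned above comes down to one operation: checking a detached OpenPGP signature published beside a downloaded archive, and refusing the archive when the signature does not match. The script below, added here as an illustration and not taken from the article or from GnuPG’s own code, runs that check end to end with a throwaway key in a temporary keyring. The maintainer identity, the file names, and the “package” contents are all constructed for the demo; it assumes a GnuPG 2.1 or later `gpg` binary on PATH and never touches your own ~/.gnupg.

```shell
#!/bin/sh
# Added example: the detached-signature check a package manager performs
# on a downloaded archive, exercised with a throwaway key. Assumes a
# GnuPG 2.1+ "gpg" on PATH; uses a private GNUPGHOME, so ~/.gnupg is untouched.

# Returns 0 only if the untouched archive verifies AND a tampered copy
# is rejected by the same signature; returns 1 otherwise.
demo_package_signature_check() {
  tmp=$(mktemp -d) || return 1
  GNUPGHOME="$tmp/gnupg"
  export GNUPGHOME
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

  # Hypothetical maintainer key, created only for this run (no passphrase).
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Demo Maintainer <demo@example.invalid>' ed25519 sign 0 \
      >/dev/null 2>&1 || { rm -rf "$tmp"; return 1; }

  # Constructed "package" plus the detached, ASCII-armored signature a
  # repository would publish next to it.
  printf 'pretend-this-is-a-tarball\n' > "$tmp/pkg.tar"
  gpg --batch --quiet --detach-sign --armor \
      --output "$tmp/pkg.tar.asc" "$tmp/pkg.tar" \
      >/dev/null 2>&1 || { rm -rf "$tmp"; return 1; }

  # 1) Untouched archive: verification must succeed.
  good=1
  gpg --batch --quiet --verify "$tmp/pkg.tar.asc" "$tmp/pkg.tar" \
      >/dev/null 2>&1 && good=0

  # 2) Change a single byte of the archive: the same signature must now fail.
  printf 'pretend-this-is-a-tarbalL\n' > "$tmp/pkg.tar"
  bad=0
  gpg --batch --quiet --verify "$tmp/pkg.tar.asc" "$tmp/pkg.tar" \
      >/dev/null 2>&1 || bad=1

  # Stop the agent that was started for this keyring, then clean up.
  gpgconf --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$tmp"
  unset GNUPGHOME

  [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo_package_signature_check \
  && echo "good signature accepted, tampered archive rejected"
```

Real package managers add one step this demo skips: the verifying key itself must already be trusted (shipped with the distribution or pinned out of band), otherwise an attacker who can swap the archive can swap the key too.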


Even with these donations, GPG is an amazing bargain. (Compare it with healthcare.gov, which cost more than $1 billion and is far less of a technical achievement—most of that money is pure overhead.) A commenter on Hacker News put it this way:

Why does this guy not get more attention? I've used GPG for what, ten years, I have an issue I use the mailing list and Werner is there answering the question. I look at the commit log on a release and he's all over the place. GPG is a massively important piece of software. Would it exist without him? He is a borderline hero in my book.

It’s heartening that as soon as Koch’s situation became known, people and companies chipped in. What’s unfortunate is that it should take a high-profile article for that to happen, especially when so many important developers face problems similar to Koch’s. His situation recalls what happened with the free, open-source security library OpenSSL, whose programmers were running it on a shoestring budget until the catastrophic Heartbleed bug revealed just how much we depended on it being well-maintained and bulletproof. Subsequently, big tech companies from Google to IBM pledged hundreds of thousands of dollars to the nonprofit Linux Foundation’s Core Infrastructure Initiative to better fund OpenSSL and similar projects. Koch just received a grant from the Core Infrastructure Initiative, as well.

It’s remarkable how invisible projects like GPG and OpenSSL are to the average user. They’re like electrical wiring or plumbing: You expect them to function without knowing where or how they work. Even the open-source Linux operating system, which runs a large percentage of the world’s servers, is not something most people ever come into direct contact with except via corporate build-outs like Android. So people don’t quite realize how much of the core infrastructure of the computing world is built on a model that looks a lot closer to anarcho-communism than capitalism. The hypercapitalist steamship of Silicon Valley moves on an engine (Linux, primarily) powered by its very antithesis. Android, MacOS, and all those Linux servers are the result of some of the cheapest programming labor ever provided. (It should be said, in turn, that much of Linux and affiliated projects draws on the basic and applied research done by academic and corporate labs like Bell Labs in the 1960s and 1970s.)


Naturally, the steamship prefers to ignore the engine room, or at least take it for granted. The importance of Linux, nonetheless, has led to extensive partnerships between corporations and the Linux Foundation that help ensure that the operating system continues to get needed support. Some programmers work on both decks, contributing to FOSS projects in their spare time while working for a corporation to pay the bills. Some programmers are paid by corporations to work on FOSS projects. Linux and other FOSS efforts have in large part resisted being co-opted through the strength of protections like the GNU General Public License, which restricts the proprietary usage of FOSS projects. It was such licenses that led Steve Ballmer to call Linux “a cancer that attaches itself in an intellectual property sense to everything it touches” in 2001. Ballmer wasn’t quite right, however. Ars Technica’s Ron Amadeo wrote an excellent chronicle of Google’s “closed-source creep” on Android, with the company locking down more and more parts of Android without violating its underlying open-source licenses. (Disclosure: I used to work for Google, and my wife still does.)

FOSS infrastructure has three benefits. First, the nonproprietary nature of the software allows for greater compatibility and reuse of individual components, reducing the waste that comes with corporations repeatedly reinventing the wheel for private usage. Second, the availability of the components makes greater opportunities available to startups and underfunded engineers. Third, the openness of the code makes it possible for anyone to take it apart and find problems with it, increasing robustness, which is particularly important for security components.

Yet as Heartbleed showed, that openness doesn’t necessarily guarantee that problems will be found and fixed. People need to take the time and make the effort. Consequently, there exists a real and ongoing tension between corporations and FOSS exponents—a push and pull that is perfectly exemplified by Koch’s recent conundrum. By working outside of the industry, Koch has been free to program according to his ideals, yet the lack of resources has stretched the GPG project thin over the years. GPG could use a full code audit and cleanup, cryptography professor Matt Green told Ars Technica. I looked at the code myself, and although it is a great achievement as the devoted labor of one person (with a bit of help), it could also benefit from refactoring and better documentation to ensure future maintainability—the sort of nice-to-have work that you can only do with the luxuries of time and money. With efforts like Koch’s often having to rely on the magnanimity of corporations, we have to ask: How should FOSS coexist with proprietary software and giant tech megacorporations? Linux has been a resounding success, but it’s unclear whether a similarly comprehensive FOSS infrastructure project could get significant traction today, due to the hypercompetitive tech atmosphere and the goal of corporations to lock in consumers and businesses to their own offerings as quickly as possible. I would welcome nothing more than a FOSS social network to remove the proprietary diggings of Facebook and Twitter, but such a thing seems quite far from realization. (Ello was barely a stumble in a better direction.)

Koch is affiliated with the European branch of the Free Software Foundation, which espouses a purist vision of free software in line with FSF founder Richard Stallman, creator of GNU and GNU Emacs. For Koch, clearly, independence and loyalty to his ideals have trumped both financial interest and the ability to garner resources for GPG. If you think, as I do, that FOSS is both beneficial and sometimes preferable to the venture-capital model of proprietary software development, then the question becomes how to advance it, so that we hear less about the tech world’s Peter Thiels and more about its Werner Kochs.